[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v8 14/18] luks2: Better error handling when setting up the cr
From: |
Daniel Kiper |
Subject: |
Re: [PATCH v8 14/18] luks2: Better error handling when setting up the cryptodisk |
Date: |
Thu, 10 Dec 2020 17:07:07 +0100 |
User-agent: |
NeoMutt/20170113 (1.7.2) |
On Tue, Dec 08, 2020 at 04:45:45PM -0600, Glenn Washburn wrote:
> First, check to make sure that source disk has a known size. If not, print
> debug message and return error. There are 4 cases where
> GRUB_DISK_SIZE_UNKNOWN is set (biosdisk, obdisk, ofdisk, and uboot), and in
> all those cases processing continues. So this is probably a bit
> conservative. However, 3 of the cases seem pathological, and the other,
> biosdisk, happens when booting from a cd. Since I doubt booting from a LUKS2
> volume on a cd is a big use case, we'll error until someone complains.
>
> Do some sanity checking on data coming from the luks header. If segment.size
> is "dynamic", verify that the offset is not past the end of disk. Otherwise,
> check for errors from grub_strtoull when converting segment size from
> string. If a GRUB_ERR_BAD_NUMBER error was returned, then the string was
> not a valid parsable number, so skip the key. If GRUB_ERR_OUT_OF_RANGE was
> returned, then there was an overflow in converting to a 64-bit unsigned
> integer. So this could be a very large disk (perhaps large raid array).
> In this case, we want to continue to try to use this key, but only allow
> access up to the end of the source disk.
>
> Signed-off-by: Glenn Washburn <development@efficientek.com>
> ---
> grub-core/disk/luks2.c | 84 ++++++++++++++++++++++++++++++++++++++++--
> include/grub/disk.h | 17 +++++++++
> 2 files changed, 98 insertions(+), 3 deletions(-)
>
> diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
> index 9abcb1c94..8cb11e899 100644
> --- a/grub-core/disk/luks2.c
> +++ b/grub-core/disk/luks2.c
> @@ -600,12 +600,26 @@ luks2_recover_key (grub_disk_t source,
> goto err;
> }
>
> + if (source->total_sectors == GRUB_DISK_SIZE_UNKNOWN)
> + {
> + /* FIXME: Allow use of source disk, and maybe cause errors in read. */
> + grub_dprintf ("luks2", "Source disk %s has an unknown size, "
> + "conservatively returning error\n", source->name);
> + ret = grub_error (GRUB_ERR_BUG, "Unknown size of luks2 source device");
> + goto err;
> + }
> +
> /* Try all keyslot */
> for (json_idx = 0; json_idx < size; json_idx++)
> {
> + typeof(source->total_sectors) max_crypt_sectors = 0;
> +
> + grub_errno = GRUB_ERR_NONE;
> ret = luks2_get_keyslot (&keyslot, &digest, &segment, json, json_idx);
> if (ret)
> goto err;
> + if (grub_errno != GRUB_ERR_NONE)
> + grub_dprintf ("luks2", "Ignoring unhandled error %d from
> luks2_get_keyslot\n", grub_errno);
>
> if (keyslot.priority == 0)
> {
> @@ -619,11 +633,75 @@ luks2_recover_key (grub_disk_t source,
> crypt->offset_sectors = grub_divmod64 (segment.offset,
> segment.sector_size, NULL);
> crypt->log_sector_size = sizeof (unsigned int) * 8
> - __builtin_clz ((unsigned int) segment.sector_size) - 1;
> + /* Set to the source disk size, which is the maximum we allow. */
> + max_crypt_sectors = grub_disk_convert_sector(source,
> + source->total_sectors,
> + crypt->log_sector_size);
> +
> + if (max_crypt_sectors < crypt->offset_sectors)
> + {
> + grub_dprintf ("luks2", "Segment \"%"PRIuGRUB_UINT64_T"\" has offset"
> + " %"PRIuGRUB_UINT64_T" which is greater than"
> + " source disk size %"PRIuGRUB_UINT64_T","
> + " skipping\n",
> + segment.idx, crypt->offset_sectors,
> + max_crypt_sectors);
> + continue;
> + }
> +
> if (grub_strcmp (segment.size, "dynamic") == 0)
> - crypt->total_sectors = (grub_disk_get_size (source) >>
> (crypt->log_sector_size - source->log_sector_size))
> - - crypt->offset_sectors;
> + crypt->total_sectors = max_crypt_sectors - crypt->offset_sectors;
> else
> - crypt->total_sectors = grub_strtoull (segment.size, NULL, 10) >>
> crypt->log_sector_size;
> + {
> + grub_errno = GRUB_ERR_NONE;
> + /* Convert segment.size to sectors, rounding up to nearest sector */
> + crypt->total_sectors = grub_strtoull (segment.size, NULL, 10);
> + crypt->total_sectors = ALIGN_UP (crypt->total_sectors,
> + 1 << crypt->log_sector_size);
> + crypt->total_sectors >>= crypt->log_sector_size;
> +
> + if (grub_errno == GRUB_ERR_NONE)
> + ;
> + else if (grub_errno == GRUB_ERR_BAD_NUMBER)
> + {
> + grub_dprintf ("luks2", "Segment \"%"PRIuGRUB_UINT64_T"\" size"
> + " \"%s\" is not a parsable number\n",
> + segment.idx, segment.size);
> + continue;
> + }
> + else if (grub_errno == GRUB_ERR_OUT_OF_RANGE)
> + {
> + /*
> + * There was an overflow in parsing segment.size, so disk must
> + * be very large or the string is incorrect.
> + */
> + grub_dprintf ("luks2", "Segment \"%"PRIuGRUB_UINT64_T"\" size"
> + " %s overflowed 64-bit unsigned integer,"
> + " the end of the crypto device will be"
> + " inaccessible\n",
> + segment.idx, segment.size);
> + if (crypt->total_sectors > max_crypt_sectors)
I think this if is bogus. You should clamp crypt->total_sectors
without any checks here.
> + crypt->total_sectors = max_crypt_sectors;
> + }
> + }
> +
> + if (crypt->total_sectors == 0)
> + {
> + grub_dprintf ("luks2", "Segment \"%"PRIuGRUB_UINT64_T"\" has zero"
> + " sectors, skipping\n",
> + segment.idx);
> + continue;
> + }
> + else if (max_crypt_sectors < (crypt->offset_sectors +
> crypt->total_sectors))
> + {
> + grub_dprintf ("luks2", "Segment \"%"PRIuGRUB_UINT64_T"\" has last"
> + " data position greater than source disk size,"
> + " the end of the crypto device will be"
> + " inaccessible\n",
> + segment.idx);
> + /* Allow decryption up to the end of the source disk. */
> + crypt->total_sectors = max_crypt_sectors - crypt->offset_sectors;
> + }
>
> ret = luks2_decrypt_key (candidate_key, source, crypt, &keyslot,
> (const grub_uint8_t *) passphrase, grub_strlen
> (passphrase));
> diff --git a/include/grub/disk.h b/include/grub/disk.h
> index 0fb727d3d..f9227f285 100644
> --- a/include/grub/disk.h
> +++ b/include/grub/disk.h
> @@ -27,6 +27,8 @@
> #include <grub/device.h>
> /* For NULL. */
> #include <grub/mm.h>
> +/* For ALIGN_UP. */
> +#include <grub/misc.h>
>
> /* These are used to set a device id. When you add a new disk device,
> you must define a new id for it here. */
> @@ -174,6 +176,21 @@ typedef struct grub_disk_memberlist
> *grub_disk_memberlist_t;
> /* Return value of grub_disk_native_sectors() in case disk size is unknown.
> */
> #define GRUB_DISK_SIZE_UNKNOWN 0xffffffffffffffffULL
>
> +/* Convert sector number from disk sized sectors to a log-size sized sector.
> */
> +static inline grub_disk_addr_t
> +grub_disk_convert_sector (grub_disk_t disk,
> + grub_disk_addr_t sector,
> + grub_size_t log_sector_size)
> +{
> + if (disk->log_sector_size < log_sector_size)
> + {
> + sector = ALIGN_UP (sector, 1 << (log_sector_size /
> disk->log_sector_size));
s#/#-#?
> + return sector >> (log_sector_size - disk->log_sector_size);
> + }
> + else
> + return sector << (disk->log_sector_size - log_sector_size);
> +}
Daniel
- [PATCH v8 17/18] misc: Add grub_log2ull macro for calculating log base 2 of 64-bit integers, (continued)
- [PATCH v8 17/18] misc: Add grub_log2ull macro for calculating log base 2 of 64-bit integers, Glenn Washburn, 2020/12/08
- [PATCH v8 02/18] misc: Add parentheses around ALIGN_UP and ALIGN_DOWN arguments, Glenn Washburn, 2020/12/08
- [PATCH v8 09/18] luks2: Add string "index" to user strings using a json index., Glenn Washburn, 2020/12/08
- [PATCH v8 10/18] cryptodisk: Add macro GRUB_TYPE_BITS() to replace some literals, Glenn Washburn, 2020/12/08
- [PATCH v8 14/18] luks2: Better error handling when setting up the cryptodisk, Glenn Washburn, 2020/12/08
- Re: [PATCH v8 14/18] luks2: Better error handling when setting up the cryptodisk,
Daniel Kiper <=
[PATCH v8 15/18] luks2: Error check segment.sector_size, Glenn Washburn, 2020/12/08
[PATCH v8 16/18] mips: Enable __clzdi2(), Glenn Washburn, 2020/12/08
[PATCH v8 18/18] luks2: Use grub_log2ull to calculate log_sector_size and improve readability, Glenn Washburn, 2020/12/08